MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93
SHA3-384 hash:	f29d2610d432d629e8660a56e5a04967a4b55c7e54a48b1c2a1cd18b2ad59176c2080946ea20f3e199bc435ea0383c66
SHA1 hash:	b9aa8ed38cebe843367103b4fa9d3b7da5396fb0
MD5 hash:	97a6c2b963eccaa7e510b26ddf725241
humanhash:	georgia-zulu-island-ten
File name:	PO202016.bat
Download:	download sample
Signature	FormBook Create hunting rule
File size:	703'488 bytes
First seen:	2020-06-02 07:44:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:NCn82sK68kuQRKWy2fFyE8/sZ2s99791tDKlESSv7i0us:Nb2sK6bumKWy2kNw2E7oESS7HZ
Threatray	2'760 similar samples on MalwareBazaar
TLSH	0AE4AEA0C354DCB6D82D417DE0F9D1291397C76DA0958B2E585A30AD66BB323A0F7E0F
Reporter	abuse_ch
Tags:	bat FormBook Outlook

abuse_ch

Malspam distributing FormBook:

HELO: EUR02-AM5-obe.outbound.protection.outlook.com
Sending IP: 40.92.67.54
From: Karen Farre <Kayventures@hotmail.com>
Subject: June Purchase
Attachment: PO202016.bat

Intelligence

File Origin

# of uploads :

1

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Hzzv-7433640-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-02 08:36:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

18

AV detection:

26 of 48 (54.17%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=42lzb2iqwgaxxt5xctza7wqcw3qcjov5hx6ovd5jqimsskff36jq._file

Verdict:

malicious

Similar samples:

3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270

3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0

5c7b25c7496dfd38b4b8b2e0b77feaa6990cc65d2c376e49ede55188ffa0ea15

82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a

9047151fe524a34dffeacd46eba66b4b0a87beb7f3e513ba8e5c6ca367ccc505

9a4f09a04f936d38799360de7c824701e635ce56d7d014903a6934626c3042a0

a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91

b624f2628a187644b398db22269d178207461ea7180bc442b3623a0ec67d35f2

b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c

bd3afdd3cda53eebbebcc99b946ff7eb2f972fcf1c5a3a11ffcf633a46f1b853

+ 2'750 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-2mzh2acvrx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Maps connected drives based on registry

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.domaky.com/p2p/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample